  1. OpenVMS Security Update
     Helmut Ammer, CSSC München, 1F06
     25. DECUS München Symposium, Bonn 2002

     Overview
     • OpenVMS Security Roadmap
     • Review
     • OpenVMS V7.3-1
     • Future
     • ACLs
     *Previously announced; subject to change

  2. OpenVMS Security Roadmap (timeline 2002 to 2005)
     • ITSEC C2 Security Evaluation on V7.2-2 (Alpha and VAX)
     • Version 7.3-1 (Alpha only)
       – CDSA (for IPSEC)
       – OpenSSL
       – SYS$ACM API published
       – Kerberos integration
     • External Authentication Early Adopters Kit (EAK)
     • Encryption for OpenVMS V1.6
     • Version 7.x
       – Full external authentication support
       – Alternative authentication: BIOMETRIC support, Smartcard

     OpenVMS DECwindows MUP
     DECwindows Motif Server has a potential security vulnerability that could be exploited to allow existing users unauthorized access to data and system resources.
     • CDs have been shipped; ECOs are available on the web pages
     • A reboot is required
     • Only systems that have the DECwindows Server installed are affected
     • All supported versions of OpenVMS Alpha, OpenVMS VAX, SEVMS VAX and SEVMS Alpha were examined; all supported versions except OpenVMS VAX Version V5.5-2 are affected

  3. DECwindows MUP
     • Affected supported versions:
       – OpenVMS Alpha Version 6.2 including all associated hardware releases (e.g. Version 6.2-1H1)
       – OpenVMS Alpha Version 7.1-2
       – OpenVMS Alpha Version 7.2-1H1
       – OpenVMS Alpha Version 7.2-2
       – OpenVMS Alpha Version 7.3
       – OpenVMS VAX Version 6.2
       – OpenVMS VAX Version 7.1
       – OpenVMS VAX Version 7.2
       – OpenVMS VAX Version 7.3
       – SEVMS Alpha Version 6.2
       – SEVMS VAX Version 6.2

     OpenVMS V7.3
     • Kerberos V1.0
       – based on MIT Kerberos Version 5 Release 1.0.5
       – Client & KDC Server
     • Clusterwide Intrusion Detection
     • OpenSSL integrated in CSWS (mod_ssl)

  4. OpenVMS V7.3-1

     Kerberos
     • Kerberos V1.0 Security Client integrated in OpenVMS V7.3-1
     • Previously a layered product

  5. OpenSSL for OpenVMS Alpha
     • Port of OpenSSL 0.9.6B
       – Layered product (installable from V7.2-2 onwards)
       – The PCSI kit contains
         • 32-bit SSL & Crypt libraries
         • 64-bit SSL & Crypt libraries
     • Features:
       – 64-bit SSL and Crypto APIs (32-bit APIs as well)
       – Documentation & examples
         • New manual: Open Source Security on OpenVMS Alpha
         • ~200 SSL APIs (60 previously undocumented)
         • ~40 Crypt APIs (10 previously undocumented)
       – Certificate Tool

     Common Data Security Architecture (CDSA)
     CDSA defines a 4-layer architecture for cross-platform, high-level security services (layers from top to bottom):
     • Applications
     • Layered Security Services
     • Common Security Services Manager and Integrity Base (CSSM): defines a common API & SPI for security services
     • Service Provider Interfaces and Security Service Modules: service providers implement selectable security services
     http://developer.intel.com/ial/security/
     http://sourceforge/projects/cdsa

  6. CDSA for OpenVMS
     • Shipped as part of V7.3-1
     • Installable from OpenVMS V7.2-2 onwards
     • Based on Intel CDSA V2.0 Release 3
     • Prerequisite for IPSEC
     • Contains RSA & OpenSSL as Crypto Service Providers

     CDSA for OpenVMS
     • CDSA contains:
       – CSSM shared library (Common Security Services Manager)
       – Header files defining the CSSM APIs
       – CSPs (Cryptographic Service Providers)
       – MDS (Module Directory Services), which lets applications locate service providers

  7. OpenVMS Common User Authentication and Credential Management Model
     (diagram; components recoverable from the slide)
     • SYSUAF.DAT and LOGINOUT
     • Native Authentication Agent (ACM extension)
     • External Authentication Agent: NT ACM extension, PATHWORKS, LAN Manager
     • Kerberos ACME
     • LOGIN ACM extension
     • X.509 Public-Key ACM extension
     • Common User Authentication and Credential Management Interface (SYS$ACM), ACM Authority
     The ability to have alternate external agents supported by the OpenVMS Common User Authentication Model will be in a future release.

     SYS$ACM
     • Published and supported in V7.3-1
     • Reduces authentication calls/steps from 12 to 1!
     • Example: CSWS for OpenVMS will use it for Mod_Auth_vms
     • Part 1 of the full external authentication solution; Part 2:
       – NDA document/EAK "ACME Developers Guide"
       – ACME Loginout & Set Password

  8. ACLs

     What are ACLs and ACEs
     • ACL = Access Control List
     • Attribute of an object
     • An ACL is an ordered list of Access Control Entries, or ACEs
     • The ACE type defines
       – whether access to the object is permitted or denied
       – a security alarm or security audit
       – an action on creation or use of the object
     (diagram: an ACL made up of several ACEs)

  9. Objects that support ACLs
     • Files (default)
     • Logical Name Tables
     • Batch/Print Queues
     • Common Event Flag Clusters
     • Devices
     • Resource Domains
     • Volumes
     • Security Classes
     • System and Group Global Sections
     • Capabilities

     Objects that support ACLs
     • Resource Domains
       – Namespace controlling lock manager resources
       – $SET_RESOURCE_DOMAIN system service
     • Security Classes
       – Parent of all classes of protected objects
       – Protects template profiles for objects
       – See the OpenVMS Guide to System Security manual

 10. Examples
     • ACL of a logical name table
         LNM$SYSTEM_TABLE object of class LOGICAL_NAME_TABLE
              Owner: [SYSTEM]
              Protection: (System: RWC, Owner: RWC, Group: R, World: R)
              Access Control List:
                   (IDENTIFIER=[PROXY,*],ACCESS=READ+WRITE)
     • RESOURCE_DOMAIN Security Class
         RESOURCE_DOMAIN object of class SECURITY_CLASS
              Owner: [SYSTEM]
              Protection: (System: RW, Owner: RW, Group: R, World: R)
              Access Control List:
                   (IDENTIFIER=[TESTS],ACCESS=READ+WRITE+DELETE+CONTROL)

     Types of ACEs
     • Identifier ACE
     • Default Protection ACE
     • Creator ACE
     • Alarm and Audit Journal ACE
     • Subsystem ACE
     • Application ACE

 11. Identifier ACE
     • The most common ACE
     • Used to grant or deny specific access rights to persons or groups (UIC), to holders of a specific identifier, or to environmental identifiers

     Identifier ACE Format - Identifiers
         (IDENTIFIER= identifier [+ identifier ...]
          [,OPTIONS= attributes [+ attributes ...]],
          ACCESS= access-type +[ access-type ...])
     • ACE identifier:
       – UICs
       – General identifiers
       – Environmental identifiers: batch, network, interactive, local, dialup, remote

 12. Identifier ACE Format - Options
         (IDENTIFIER= identifier [+ identifier ...]
          [,OPTIONS= attributes [+ attributes ...]],
          ACCESS= access-type +[ access-type ...])
     • Identifier ACE options:
       – Default
       – Hidden
       – Protected
       – Nopropagate
       – None: the default case, meaning "no attributes"

     Identifier ACE Format - Options
     • Default
       – Applies to directory files only
       – Describes the ACE to be placed on a file created in this directory
       – The DEFAULT attribute is removed from the ACE when it is propagated
       – Has no effect on object access
     • Hidden
       – Indicates that only the application that created the ACE 'should' change it
       – Valid for all ACE types, but intended for application ACEs
       – The SECURITY privilege is needed to display a hidden ACE

 13. Identifier ACE Format - Options
     • Protected
       – Protects the ACE against casual deletion
       – Can only be deleted by
         • the ACL Editor
         • $ SET SECURITY /ACL=<ace> /DELETE
         • $ SET SECURITY /ACL /DELETE=ALL
     • Nopropagate
       – Indicates that the ACE cannot be copied by operations that usually propagate ACEs
         • $ SET SECURITY /LIKE
         • $ SET SECURITY /DEFAULT

     Identifier ACE Format - Access types
         (IDENTIFIER= identifier [+ identifier ...]
          [,OPTIONS= attributes [+ attributes ...]],
          ACCESS= access-type +[ access-type ...])
     • Identifier ACE access types for files:
       – READ
       – WRITE
       – EXECUTE
       – DELETE
       – CONTROL
       – NONE
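The following Python model is added here as a worked example; it is not part of Helmut Ammer's presentation and not OpenVMS code. It parses the Identifier ACE syntax shown on the slides (IDENTIFIER / OPTIONS / ACCESS, with identifiers joined by "+"), checks a subject's access against an ordered ACL as the "ordered list of ACEs" slide describes, and shows which ACEs a newly created file inherits from its directory under the DEFAULT and NOPROPAGATE rules. Only the LNM$SYSTEM_TABLE and RESOURCE_DOMAIN ACLs come from the slides; the first-match rule, ACCESS=NONE as an explicit deny, the skipping of DEFAULT ACEs during access checks, the fallback to the protection mask, and the PAYROLL, directory and subject values are assumptions of the example.

```python
"""Simplified model of OpenVMS Identifier ACEs (constructed example, not OpenVMS code).

Assumptions of this model, not stated on the slides:
  * ACEs are tested in ACL order and the first ACE whose identifiers the subject
    holds decides the outcome, so the order of ACEs matters.
  * ACCESS=NONE in a matching ACE is an explicit deny.
  * ACEs carrying OPTIONS=DEFAULT are skipped for access checks.
  * No matching ACE -> None; the caller falls back to the UIC protection mask.
"""
from dataclasses import dataclass, field

ACCESS_TYPES = {"READ", "WRITE", "EXECUTE", "DELETE", "CONTROL", "NONE"}
OPTION_TYPES = {"DEFAULT", "HIDDEN", "PROTECTED", "NOPROPAGATE", "NONE"}


@dataclass
class Ace:
    identifiers: list          # joined with '+' in the syntax: all must be held
    access: set
    options: set = field(default_factory=set)


@dataclass
class Subject:
    uic: str                   # "[group,member]", e.g. "[PROXY,SMITH]"
    identifiers: set           # general and environmental identifiers held


def _split_top_level(text, sep):
    """Split on sep, ignoring separators inside brackets such as [PROXY,*]."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts]


def parse_ace(text):
    """Parse '(IDENTIFIER=a[+b][,OPTIONS=x[+y]],ACCESS=t[+u])' into an Ace."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("ACE must be enclosed in parentheses: %r" % text)
    fields = {}
    for part in _split_top_level(text[1:-1], ","):
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = [v.strip().upper() for v in value.split("+")]
    if "IDENTIFIER" not in fields or "ACCESS" not in fields:
        raise ValueError("IDENTIFIER and ACCESS are mandatory: %r" % text)
    access, options = set(fields["ACCESS"]), set(fields.get("OPTIONS", []))
    unknown = (access - ACCESS_TYPES) | (options - OPTION_TYPES)
    if unknown:
        raise ValueError("unknown keyword(s) %s in %r" % (sorted(unknown), text))
    return Ace(fields["IDENTIFIER"], access, options - {"NONE"})  # NONE = no attributes


def format_ace(ace):
    """Render an Ace back into the slide's syntax (keywords sorted for stable output)."""
    parts = ["IDENTIFIER=" + "+".join(ace.identifiers)]
    if ace.options:
        parts.append("OPTIONS=" + "+".join(sorted(ace.options)))
    parts.append("ACCESS=" + "+".join(sorted(ace.access)))
    return "(" + ",".join(parts) + ")"


def _holds(subject, ident):
    """[group,member] patterns match the subject's UIC with '*' wildcards;
    anything else ([TESTS], TESTS, BATCH) is treated as a named identifier."""
    if ident.startswith("[") and "," in ident:
        pg, pm = ident.strip("[]").split(",", 1)
        ug, um = subject.uic.upper().strip("[]").split(",", 1)
        return pg in ("*", ug) and pm in ("*", um)
    return ident.strip("[]") in {i.upper() for i in subject.identifiers}


def check_acl(acl, subject, wanted):
    """True/False from the first matching ACE, None when no ACE matches."""
    wanted = wanted.upper()
    for ace in map(parse_ace, acl):
        if "DEFAULT" in ace.options:
            continue                       # directory template only, no access effect
        if all(_holds(subject, i) for i in ace.identifiers):
            return "NONE" not in ace.access and wanted in ace.access
    return None


def default_acl_for_new_file(directory_acl):
    """ACEs a new file inherits from its directory: DEFAULT ACEs are copied with the
    DEFAULT attribute stripped; NOPROPAGATE ACEs are never copied."""
    out = []
    for ace in map(parse_ace, directory_acl):
        if "DEFAULT" in ace.options and "NOPROPAGATE" not in ace.options:
            out.append(format_ace(Ace(ace.identifiers, ace.access, ace.options - {"DEFAULT"})))
    return out


# ACLs taken from the slides
LNM_SYSTEM_TABLE_ACL = ["(IDENTIFIER=[PROXY,*],ACCESS=READ+WRITE)"]
RESOURCE_DOMAIN_ACL = ["(IDENTIFIER=[TESTS],ACCESS=READ+WRITE+DELETE+CONTROL)"]
# Constructed ACLs: the deny for PAYROLL holders running in batch must come first
PAYROLL_ACL = ["(IDENTIFIER=PAYROLL+BATCH,ACCESS=NONE)",
               "(IDENTIFIER=PAYROLL,ACCESS=READ+WRITE)"]
DIR_ACL = ["(IDENTIFIER=[PROXY,*],OPTIONS=DEFAULT,ACCESS=READ)",
           "(IDENTIFIER=TESTS,OPTIONS=DEFAULT+NOPROPAGATE,ACCESS=READ+WRITE)",
           "(IDENTIFIER=AUDITORS,ACCESS=READ)"]
```

Running check_acl(PAYROLL_ACL, ...) for a subject holding PAYROLL and INTERACTIVE grants WRITE, while the same account holding PAYROLL and BATCH is denied READ because the ACCESS=NONE entry matches first; swapping the two ACEs would silently turn the deny into a grant, which is why explicit denies belong ahead of broader grants when an ACL is reviewed. A subject that matches no ACE gets None, and in this model the caller must then consult the object's protection mask; that SOGW check and the System category's privilege rules are deliberately left out.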
